OFFICE OF INSPECTOR GENERAL

AUDIT OF USAID'S IMPLEMENTATION OF KEY COMPONENTS OF A PRIVACY PROGRAM FOR ITS INFORMATION TECHNOLOGY SYSTEMS

AUDIT REPORT NO. A-000-15-001-P
OCTOBER 10, 2014

WASHINGTON, DC

This is a summary of our report on the Audit of USAID's Implementation of Key Components of a Privacy Program for Its Information Technology Systems.

The Privacy Act of 1974, as amended, defines the rights and responsibilities for maintaining, protecting, and disclosing personal information. The act requires that agencies:

•   Publish notices describing systems of records.

•   Make reasonable efforts to maintain accurate, relevant, timely, and complete records about individuals.

•   Manage those records in a way that ensures fairness to individuals in agency programs.

The U.S. Congress and the Office of Management and Budget (OMB) have instituted a number of laws and regulations that govern protection of individuals' privacy. OMB issued Memorandum M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002" (September 26, 2003), which requires federal agencies to (1) conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available, and (2) post privacy policies on agencies' public Web sites.

OIG conducted this audit to determine whether USAID implemented key components of a privacy program for its information technology systems to mitigate the risk of violations of key privacy requirements. For this audit, "key components" of a privacy program are (1) a privacy management structure, including clear assignment of roles and responsibilities, (2) policies and procedures, (3) awareness and training, and (4) monitoring for compliance.

The audit found that USAID did not implement these key components because it did not do the following:

•   Designate a senior agency official for privacy. Therefore, the Agency did not have a senior-level individual who is responsible for making sure it complies with privacy laws, regulations, and policies.

•   Fully provide basic privacy training. Thus, employees may not know how to handle personally identifiable information (PII), which puts the Agency at risk of privacy breaches and incidents.

•   Fully provide role-based privacy training. Employees who handle PII regularly may not have the knowledge and skills needed to protect the information and therefore are at risk of causing a breach.

•   Complete system of records notices for three of four judgmentally selected systems. People do not have an opportunity to review their records for accuracy if they do not know the system of records exists. Further, any officer or employee who willfully maintains a system of records without meeting the requirements of the Privacy Act of 1974, as amended, is guilty of a misdemeanor and may be fined up to $5,000.

•   Complete privacy impact assessments for its third-party Web sites. Thus, USAID did not make sure that it collected information in conformance with applicable legal, regulatory, and policy requirements.

•   Post privacy notices for six judgmentally selected third-party Web sites that made PII available to the Agency. People may not understand the potential impact on their privacy when they use third-party Web sites that make their PII available to the Agency.

•   Address all requirements in the Agency's privacy breach notification procedures. Therefore, USAID's Breach Response Team may not fully understand how to handle a privacy breach.

•   Provide working links on the Agency's external Web site to system of records notices and the privacy impact assessment for AIDNet, the Agency's computer network. Thus, the public may not be aware of what PII the Agency is collecting or how the Agency collects, uses, and stores PII in AIDNet.

•   Update its electronic records disposition schedule. As a result, USAID cannot be sure that Agency officials know when to dispose of electronic records that contain PII.

•   Require in its privacy impact assessment procedures that the assessments address how people can consent to provide information for particular uses. Members of the public may not have been fully aware that certain actions they take may imply their consent.

Although some of these weaknesses have other contributing causes, most of them can be attributed to the following three: USAID (1) did not make its privacy program a priority within the organization, (2) had a material weakness [1] due to its decentralized information technology security program, and (3) allocated a questionable level of resources to the program.

To address the weaknesses, this report contains 34 recommendations to help USAID strengthen its privacy program. Based on our evaluation of USAID's management comments and other communications, we acknowledge management decisions on all 34 and final action on 7.

[1] OMB Circular A-123, "Management's Responsibility for Internal Control" (December 21, 2004), defines a material weakness as a control deficiency that the agency head determines to be significant enough to report outside of the agency.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov